RFQ_Beijing Chengruisi Manufacturing_pdf.exe

General

Target:    RFQ_Beijing Chengruisi Manufacturing_pdf.exe
Filesize:  417KB
Completed: 24-09-2021 11:58
Score:     10/10
MD5:       a30b50f5e2ea1a2d8c6bdf581e97d478
SHA1:      9943026649061e28fe7fd626b6d3e1c893131779
SHA256:    3dafcb39d7cc251c9a8212a8e745e0d72f2c530bf699a9168a379fa25e36ec38

Malware Config

Extracted

Family xloader
Version 2.5
Campaign euzn
C2

http://www.heser.net/euzn/

Decoy

235296tyc.com

gold12guide.art

baibuaherb.com

weberwines.tax

chezvitoria.com

aidenb.tech

pitchdeckservice.com

surgeryforfdf.xyz

workunvaccinated.com

hrtaro.com

yourotcs.com

sonimultispecialityclinic.com

consultantadvisors.com

pentesting-consulting.com

dantechs.digital

longshifa.online

taweilai.net

imyusuke.com

cashndashfinancial.com

fasiglimt.quest

jakital.com

graywolfdesign.com

pepeavatar.com

predixlogisticscourier.com

football-transfer-news.pro

herbalmedication.xyz

esd66.com

janesgalant.quest

abcrefreshments.com

chaoxy.com

rediscoveringyouhealing.com

mcrjadr5.xyz

n4sins.com

faithful-presence.com

013yu.xyz

isystemslanka.com

newbeautydk.com

ethiopia-info.com

hgaffiliates.net

anodynemedicalmassage.com

esohgroup.com

clinicamonicabarros.com

rafathecook.com

londonescort.xyz

dreamites.com

webtiyan.com

cnnautorepair.com

soposhshop.com

aarohaninsight2021.com

arceprojects.com

Signatures 11

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource                                                                  yara_rule
    behavioral1/memory/1680-65-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/1680-66-0x000000000041D420-mapping.dmp                   xloader
    behavioral1/memory/2028-75-0x00000000000C0000-0x00000000000E9000-memory.dmp  xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid   process
    1216  cmd.exe
  • Suspicious use of SetThreadContext
    RFQ_Beijing Chengruisi Manufacturing_pdf.exe, raserver.exe

    Reported IOCs

    description                          pid   process                                       target process
    PID 1696 set thread context of 1680  1696  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  RFQ_Beijing Chengruisi Manufacturing_pdf.exe
    PID 1680 set thread context of 1180  1680  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  Explorer.EXE  (x2)
    PID 2028 set thread context of 1180  2028  raserver.exe                                  Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    RFQ_Beijing Chengruisi Manufacturing_pdf.exe, raserver.exe

    Reported IOCs

    pid   process
    1680  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  (x3)
    2028  raserver.exe  (x20)
  • Suspicious behavior: MapViewOfSection
    RFQ_Beijing Chengruisi Manufacturing_pdf.exe, raserver.exe

    Reported IOCs

    pid   process
    1680  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  (x4)
    2028  raserver.exe  (x2)
  • Suspicious use of AdjustPrivilegeToken
    RFQ_Beijing Chengruisi Manufacturing_pdf.exe, raserver.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1680  RFQ_Beijing Chengruisi Manufacturing_pdf.exe
    Token: SeDebugPrivilege  2028  raserver.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid   process
    1180  Explorer.EXE  (x4)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid   process
    1180  Explorer.EXE  (x4)
  • Suspicious use of WriteProcessMemory
    RFQ_Beijing Chengruisi Manufacturing_pdf.exe, Explorer.EXE, raserver.exe

    Reported IOCs

    description                    pid   process                                       target process
    PID 1696 wrote to memory of 1680  1696  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  RFQ_Beijing Chengruisi Manufacturing_pdf.exe  (x7)
    PID 1180 wrote to memory of 2028  1180  Explorer.EXE                                  raserver.exe  (x4)
    PID 2028 wrote to memory of 1216  2028  raserver.exe                                  cmd.exe  (x4)
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\RFQ_Beijing Chengruisi Manufacturing_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ_Beijing Chengruisi Manufacturing_pdf.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\RFQ_Beijing Chengruisi Manufacturing_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ_Beijing Chengruisi Manufacturing_pdf.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1680
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RFQ_Beijing Chengruisi Manufacturing_pdf.exe"
        Deletes itself
        PID:1216
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
(no techniques mapped in this report)

Downloads
  • memory/1180-69-0x0000000006330000-0x0000000006497000-memory.dmp
  • memory/1180-71-0x0000000004C60000-0x0000000004D24000-memory.dmp
  • memory/1180-79-0x0000000007420000-0x000000000758A000-memory.dmp
  • memory/1216-76-0x0000000000000000-mapping.dmp
  • memory/1680-68-0x0000000000200000-0x0000000000211000-memory.dmp
  • memory/1680-65-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/1680-66-0x000000000041D420-mapping.dmp
  • memory/1680-67-0x0000000000A20000-0x0000000000D23000-memory.dmp
  • memory/1680-70-0x0000000000240000-0x0000000000251000-memory.dmp
  • memory/1696-64-0x0000000001F70000-0x0000000001F9C000-memory.dmp
  • memory/1696-63-0x00000000055B0000-0x000000000560C000-memory.dmp
  • memory/1696-62-0x0000000000310000-0x0000000000314000-memory.dmp
  • memory/1696-59-0x0000000000190000-0x0000000000191000-memory.dmp
  • memory/1696-61-0x00000000002D0000-0x00000000002D1000-memory.dmp
  • memory/2028-72-0x0000000000000000-mapping.dmp
  • memory/2028-74-0x0000000000A40000-0x0000000000A5C000-memory.dmp
  • memory/2028-75-0x00000000000C0000-0x00000000000E9000-memory.dmp
  • memory/2028-77-0x0000000001FF0000-0x00000000022F3000-memory.dmp
  • memory/2028-78-0x0000000000900000-0x0000000000990000-memory.dmp
  • memory/2028-73-0x0000000075211000-0x0000000075213000-memory.dmp